CN115455440A - Transparent encryption method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN115455440A
Authority
CN
China
Prior art keywords
file
operation request
file system
virtual disk
real
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210906526.0A
Other languages
Chinese (zh)
Inventor
徐天骥
刘才军
郭彬
段江南
黄景平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Tianyi Cloud Technology Co Ltd filed Critical Tianyi Cloud Technology Co Ltd
Priority to CN202210906526.0A priority Critical patent/CN115455440A/en
Publication of CN115455440A publication Critical patent/CN115455440A/en
Priority to PCT/CN2022/141882 priority patent/WO2024021496A1/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5022 Mechanisms to release resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to the technical field of encryption, and in particular to a transparent encryption method and device, electronic equipment and a storage medium. The method comprises: obtaining an operation request for a target file, wherein the operation request carries attribute information of the target file; determining the type of the operation request based on the attribute information, wherein the type of the operation request is either an authorized operation request or an unauthorized operation request; and redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file. The virtual disk file system isolates the two forms of the same target file, and redirection is decided by the type of the operation request, thereby achieving transparent encryption with dual-file control while retaining the high performance and stability of a layered file system.

Description

Transparent encryption method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of encryption, in particular to a transparent encryption method and device, electronic equipment and a storage medium.
Background
Transparent encryption refers to protecting files on a user's computer without changing the user's working habits. A file is encrypted when it is written to disk; when a process reads it, the process is checked, the data is decrypted for an authorized process and is not decrypted for unauthorized processes. This lets the user edit and use the file as usual, prevents a leak when the user sends the encrypted file out, and ensures data security.
Disclosure of Invention
In view of this, embodiments of the present invention provide a transparent encryption method, apparatus, electronic device and storage medium to solve the problem of transparent encryption.
According to a first aspect, an embodiment of the present invention provides a transparent encryption method, including:
acquiring an operation request of a target file, wherein the operation request carries attribute information of the target file;
determining the type of the operation request based on the attribute information, wherein the type of the operation request comprises an authorized operation request or an unauthorized operation request;
redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
In the transparent encryption method provided by the embodiment of the invention, the virtual disk file system isolates the two forms of the same target file: the encrypted target file is stored in the real file system, and the decrypted target file is cached in the virtual disk file system. Redirection is decided by the type of the operation request, so that transparent encryption with dual-file control is achieved with the high performance and stability of a layered file system.
In some embodiments, the redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request includes:
when the type of the operation request is an authorized operation request, redirecting the operation request to the virtual disk file system;
and performing plaintext processing on the operation request based on the virtual disk file system.
According to the transparent encryption method provided by the embodiment of the invention, only when the type of the operation request is determined to be the authorized operation request, the operation request is redirected to the virtual disk file system, so that the reliability of plaintext data is ensured.
In some embodiments, the virtual disk file system includes a virtual disk and an encrypted file system, where the virtual disk is used to mount the encrypted file system, and the encrypted file system is used to read the encrypted target file from the real file system for decryption.
In the transparent encryption method provided by the embodiment of the invention, the shadow file maintained by the encrypted file system and the file maintained by the real file system correspond to the same physical disk file; the shadow file is accessed as plaintext and the file in the real file system as ciphertext, which gives high performance and high stability. A redirection mechanism forwards the operation request to the virtual disk, which keeps the scheme compatible with antivirus software and prevents a blue screen or similar failure caused by an operation request for the shadow file being passed to the real file system.
In some embodiments, the performing a plaintext operation on the target file based on the virtual disk file system includes:
reading the shadow file in the virtual disk to obtain an access path of the encrypted target file in the real file system;
reading the encrypted target file from the real file system based on the access path;
and decrypting the encrypted target file by using an encrypted file system, and caching a decryption result by using the shadow file so as to perform plaintext operation on the target file.
The transparent encryption method provided by the embodiment of the invention stores, in the shadow file, the access path of the encrypted target file in the real file system, and reads and decrypts the encrypted target file through that path only when an operation request is received; restricting when the file is read in this way reduces unnecessary memory overhead.
In some embodiments, the reading the shadow file in the virtual disk to obtain the access path of the encrypted target file in the real file system includes:
when an authorized open request for the target file is acquired, creating the shadow file in the virtual disk;
and recording, in the shadow file, the access path of the encrypted target file in the real file system.
In some embodiments, the method further comprises:
when an authorized close request for the target file is acquired, clearing the shadow file from the virtual disk.
In the transparent encryption method provided by the embodiment of the invention, the shadow file is created on demand and cleared on demand, so that memory space is released in time and memory consumption is reduced.
In some embodiments, the method further comprises:
when the operation request is an unauthorized operation request, redirecting the operation request to the real file system;
and carrying out ciphertext operation on the target file based on the real file system.
The transparent encryption method provided by the embodiment of the invention directly redirects the operation request to the real file system for ciphertext operation for the unauthorized operation request, thereby improving the security of the target file.
According to a second aspect, an embodiment of the present invention further provides a transparent encryption apparatus, including:
the acquisition module is used for acquiring an operation request of a target file, wherein the operation request carries attribute information of the target file;
a determining module, configured to determine a type of the operation request based on the attribute information, where the type of the operation request includes an authorized operation request or an unauthorized operation request;
and the redirecting module is used for redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
According to a third aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing therein computer instructions, and the processor executing the computer instructions to perform the transparent encryption method according to the first aspect or any one of the embodiments of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to execute the transparent encryption method described in the first aspect or any one of the implementation manners of the first aspect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 illustrates a transparent encryption diagram based on a hierarchical file system;
FIG. 2 is a flow diagram of a transparent encryption method according to an embodiment of the present invention;
FIG. 3 is a flow diagram of a transparent encryption method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a transparent encryption method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a transparent encryption method according to an embodiment of the present invention;
FIG. 6 is a block diagram of the structure of a transparent encryption apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Generally, transparent encryption is implemented in the Windows kernel layer: requests such as opening, closing, reading and writing files are filtered in the kernel layer, and whether to encrypt or decrypt is decided according to the permissions of the process and the file type. However, the Windows operating system has a cache mechanism, and while that mechanism is enabled, different processes that read and write the same file are in fact reading and writing the same file cache. The authorized process needs to access plaintext while the unauthorized process needs to access ciphertext, so the cache has to be switched whenever the two processes alternately operate on the same encrypted file. This approach not only degrades performance; the frequent flushing may also damage the file.
Further, a double-cache scheme based on a hierarchical file system (i.e., layerfsd) exists to address the performance issue. The hierarchical file system extends a traditional encryption filter driver into something that is half filter driver, half file system: the encryption driver not only filters file read and write requests, but also interacts with the Windows IO manager, cache manager and kernel manager, establishes and maintains two file control blocks (FCB for short) for the same disk file, and establishes two caches. The authorized process and the unauthorized process therefore effectively access two files without interfering with each other, which solves the performance problem and improves stability. However, layerfsd is not a true file system; it is a filter driver at the same level as antivirus software. To stop malicious software from threatening user data by filtering file operations, antivirus software may, after intercepting a user read or write request at an upper layer, obtain the file system driver device of the current disk directly and pass the user data to the underlying file system, bypassing every filter driver layer in between, including the hierarchical file system driver. This not only causes errors in the encrypted file data, but is also likely to make the underlying file system crash with a blue screen, because it receives an FCB that it did not create itself.
For example, as shown in FIG. 1, the technology based on the hierarchical file system implements all file system interfaces but does not register as a real file system; in essence it is still a file filter driver, mounted on the same volume device as the real file system. Therefore, if antivirus software or malware also uses a file filter driver, it can filter the access request for the shadow FCB, obtain the underlying file system device through that request, and send the request directly to the underlying file system. The file system then receives an FCB that it does not maintain, and the system is likely to crash outright when the related data is read or written.
The transparent encryption method provided by the embodiment of the invention firstly determines the type of the operation request, and then redirects the operation request to the virtual disk file system or the real file system according to the type of the operation request, so as to realize the respective storage and maintenance of the decrypted target file and the encrypted target file. Namely, the method realizes transparent encryption of double-file control, and has high performance and stability of a hierarchical file system.
Further, the transparent encryption method provided by the embodiment of the invention can also solve the problem of compatibility with antivirus software. In the embodiment of the invention, because the encrypted file system is registered as a real file system and mounted to the virtual disk, even if antivirus software and the like filters the access request of the shadow FCB, the volume device obtained through the access request is still the virtual disk volume, and the sent access request is finally still processed by the encrypted file system, so that normal transparent encryption and decryption can be realized.
In accordance with an embodiment of the present invention, there is provided a transparent encryption method embodiment, it being noted that the steps illustrated in the flowchart of the figure may be carried out in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be carried out in an order different than here.
This embodiment provides a transparent encryption method that may be used in an electronic device such as a terminal or a server. FIG. 2 is a flowchart of the transparent encryption method according to the embodiment of the present invention; as shown in FIG. 2, the flow includes the following steps:
S11, acquiring an operation request for the target file.
The operation request carries the attribute information of the target file.
The operation request includes, but is not limited to, operations such as modifying, deleting and copying the target file; the operations are set according to actual needs and are not limited here. The operation request is a request issued, after the open request, when a specific processing operation is performed on the target file. The attribute information includes file information and process information of the target file: the file information includes the operation information of the target file, that is, which operation is to be executed, and the process information indicates which process is currently accessing the file.
S12, determining the type of the operation request based on the attribute information.
The type of the operation request is either an authorized operation request or an unauthorized operation request.
The electronic equipment is configured with the files for which operation is authorized together with their corresponding processes, and with the files for which operation is unauthorized together with the identifiers of their processes. After the attribute information is obtained, the file information in it is matched to determine the authorized process corresponding to the file, and the process information is then matched against that authorized process to determine the type of the operation request. For example, the process corresponding to a document or table is determined to be an authorized process, and the process corresponding to an outgoing message is determined to be an unauthorized process.
S13, redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request.
The virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
Isolation from the real file system is achieved by configuring a virtual disk file system. The encrypted target file is stored in the real file system, and decryption of the encrypted target file is performed through the virtual disk file system, so the virtual disk file system is used for caching the decrypted target file.
After the type of the operation request is determined, the operation request is redirected to the file system that corresponds to that type: an authorized operation request corresponds to the virtual disk file system, and an unauthorized operation request corresponds to the real file system. An authorized operation request can access the decrypted target file, which is processed according to the operation request; an unauthorized operation request can only access the encrypted target file, and all of its operations are performed on the encrypted target file.
In the transparent encryption method provided in this embodiment, the virtual disk file system isolates the two forms of the same target file: the encrypted target file is stored in the real file system, and the decrypted target file is cached in the virtual disk file system. Redirection is decided by the type of the operation request, so that transparent encryption with dual-file control is achieved with the high performance and stability of the layered file system.
This embodiment provides a transparent encryption method that may be used in an electronic device such as a terminal or a server. FIG. 3 is a flowchart of the transparent encryption method according to the embodiment of the present invention; as shown in FIG. 3, the flow includes the following steps:
S21, acquiring an operation request for the target file.
The operation request carries the attribute information of the target file.
Please refer to S11 in FIG. 2; the details are not repeated here.
S22, determining the type of the operation request based on the attribute information.
The type of the operation request is either an authorized operation request or an unauthorized operation request.
Please refer to S12 in FIG. 2; the details are not repeated here.
S23, redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request.
The virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
In some embodiments, the virtual disk file system includes a virtual disk and an encrypted file system; the virtual disk is used for mounting the encrypted file system, and the encrypted file system is used for reading the encrypted target file from the real file system for decryption. The virtual disk is implemented as a memory disk, provides a sandbox-like environment for mounting the encrypted file system, and is hidden from the user. The encrypted file system is mounted on the virtual disk. Toward the upper layer it implements all file system interfaces, handles operations such as reads and writes, interacts with the Windows memory manager and cache manager, and maintains the shadow file and the plaintext cache of the encrypted file. Toward the lower layer it interacts with the real file system where the encrypted target file is located when disk data is read or written, and handles encryption and decryption of the data, hiding of the encryption mark, and the like.
Redirection of operation requests is implemented by an encapsulated redirection module. For example, a file filter driver written with the minifilter framework is mounted on each disk volume of the electronic device. File operations are passed down the kernel driver device stack as operation requests constructed by the IO manager. The mounted file filter driver can intercept all operation requests on the current disk volume, and each operation request contains the information of the current file operation. Based on the file information and the process information in the intercepted operation request, the redirection module decides whether to redirect the file access request to the virtual disk file system, so that the authorized process and the unauthorized process access two separate files.
The shadow file maintained by the encrypted file system and the file maintained by the real file system correspond to the same physical disk file. The shadow file caches the decrypted data, that is, the shadow file is accessed as plaintext and the file in the real file system as ciphertext, which gives high performance and high stability. A redirection mechanism forwards the operation request to the virtual disk, which keeps the scheme compatible with antivirus software and prevents a blue screen or similar failure caused by an operation request for the shadow file being passed to the real file system.
Based on this, the above S23 includes:
S231, when the type of the operation request is an authorized operation request, redirecting the operation request to the virtual disk file system.
S232, performing plaintext processing on the operation request based on the virtual disk file system.
When the type of the operation request is an authorized operation request, the redirection module described above redirects the operation request to the virtual disk file system; since the shadow file in the virtual disk file system is accessed in plaintext form, the operation request is processed in plaintext in the virtual disk file system.
In some embodiments, S232 includes:
(1) Reading the shadow file in the virtual disk to obtain the access path of the encrypted target file in the real file system.
(2) Reading the encrypted target file from the real file system based on the access path.
(3) Decrypting the encrypted target file by using the encrypted file system, and caching the decryption result in the shadow file so as to perform plaintext operations on the target file.
The shadow file stores the access path of the encrypted target file in the real file system. When an operation on the target file is required, the encrypted target file is read from the real file system through the access path recorded in the shadow file, and is then decrypted by the encrypted file system to obtain the decrypted target file. The decrypted target file is cached in the shadow file, and the specific processing of the operation request is then carried out on the plaintext data cached in the shadow file.
The access path of the encrypted target file in the real file system is stored in the shadow file, and the encrypted target file is read and decrypted through that path only when an operation request is received; restricting when the file is read in this way reduces unnecessary memory overhead.
In some embodiments, step (1) of S232 above includes:
1.1 When an authorized open request for the target file is obtained, a shadow file for the target file is created in the virtual disk.
1.2 The access path of the encrypted target file in the real file system is recorded in the shadow file.
When an authorized open request for the target file is obtained, the shadow file is created in the virtual disk and initialized, and the access path of the encrypted target file in the real file system is recorded in it. At this point the shadow file holds only the access path and none of the content of the encrypted target file. As described above, only after an authorized operation request is received is the encrypted target file pulled from the real file system through the access path, decrypted by the encrypted file system, and cached in the shadow file.
In other embodiments, the method further comprises: when an authorized close request for the target file is acquired, clearing the shadow file from the virtual disk. After use is complete, the shadow file is automatically cleared from the virtual disk. The shadow file is created on demand and cleared on demand, so that memory space is released in time and memory consumption is reduced.
The transparent encryption method provided by the embodiment redirects the operation request to the virtual disk file system only when the type of the operation request is determined to be the authorized operation request, so as to ensure the reliability of plaintext data.
In other embodiments, the method may further comprise:
(1) When the operation request is an unauthorized operation request, redirect the operation request to the real file system.
(2) Perform a ciphertext operation on the target file based on the real file system.
An unauthorized operation request is redirected directly to the real file system for ciphertext operation, which improves the security of the target file.
As shown in FIG. 4, when an application is operated, an operation request (IRP) is generated and the redirection module determines the type of the IRP. For an authorized process, the IRP is redirected to the virtual disk file system; for an unauthorized process, the IRP is redirected directly to the real file system. The virtual disk file system comprises an encrypted file system and a virtual disk. A shadow FCB (file system file), which may be called a shadow file, is maintained in the encrypted file system, and an access path is stored in it. The real FCB file data is read from the real file system by using the access path; the data read is encrypted, and it is decrypted by the encrypted file system and then cached in the shadow file.
As a specific application example, as shown in FIG. 5, taking the first opening of an encrypted file as an example, the workflow is as follows:
(1) A user opens the file D:\1.doc with a document editing program. The document editing program calls the file system's application interface for creating a file, which triggers a system call. The IO manager parses the parameters, constructs an opening request containing the opening operation information, and sends it to the file system device stack of the D disk. A redirection module, antivirus software, a file system and so on are mounted on the device stack and process the access request in sequence.
(2) The redirection module mounted on the device stack filters the opening request, obtains process information and file information from it, and matches them against the current encryption policy. Requests from authorized processes are redirected to the virtual disk.
(3) The encrypted file system mounted on the virtual disk receives the opening request. Based on the file information in the request, the encrypted file system sends a request to open 1.doc to the file system device stack of the D disk and waits for the processing result, which is either failure or success of the open. After receiving the processing result, the virtual disk creates a shadow file, initializes its member data, records the real file path in it, and returns the processing result to the IO manager and the upper-layer application.
(4) The document editing program receives the processing result and the file handle. The file that the handle points to is redirected to the shadow file in the virtual disk, and operation requests for subsequent file operations are sent directly to the encrypted file system for processing.
(5) If an unauthorized process accesses D:\1.doc, the redirection module issues the operation request directly to the real file system of the D disk, and the real file accessed is the encrypted file maintained by the real file system.
Creating the shadow file isolates the access of authorized processes from that of unauthorized processes. For subsequent reads, writes and other operations by the document editing program, the encrypted file system, on receiving an operation request, reads the file's ciphertext data from the real file system, decrypts it and returns it to the document editing program. On a write operation, the plaintext data from the document editing program is encrypted and then sent to the real file system. Transparent encryption and decryption are thereby achieved.
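The workflow above can be modelled in user space to make the data flow concrete. The following is an added example, not code from the patent or its applicant: all class and function names are hypothetical, the policy format (process name plus file extension) is an assumption, and the cipher is a labelled stand-in because the page names no algorithm or key handling.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-demo-key"  # constructed; the page does not describe key handling

def stand_in_cipher(data: bytes) -> bytes:
    """SHA-256 counter keystream XOR, a labelled stand-in (symmetric, not for real use)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(KEY + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class RealFileSystem:
    """Holds only ciphertext, keyed by path."""
    def __init__(self):
        self.files = {}
    def read(self, path):
        return self.files[path]
    def write(self, path, data):
        self.files[path] = data

@dataclass
class ShadowFile:
    access_path: str               # where the ciphertext lives in the real file system
    cache: Optional[bytes] = None  # plaintext, filled only when an operation needs it

class VirtualDiskFS:
    """Encrypted file system mounted on the virtual disk; owns the shadow files."""
    def __init__(self, real):
        self.real, self.shadows, self._next = real, {}, 1
    def open(self, path):
        self.real.read(path)                     # forward the open; KeyError means it failed
        handle, self._next = self._next, self._next + 1
        self.shadows[handle] = ShadowFile(path)  # path only, no content yet
        return handle
    def read(self, handle):
        shadow = self.shadows[handle]
        if shadow.cache is None:                 # decrypt lazily on first use
            shadow.cache = stand_in_cipher(self.real.read(shadow.access_path))
        return shadow.cache
    def write(self, handle, plaintext):
        shadow = self.shadows[handle]
        shadow.cache = plaintext
        self.real.write(shadow.access_path, stand_in_cipher(plaintext))
    def close(self, handle):
        del self.shadows[handle]                 # clear the shadow file on authorized close

class Redirector:
    """Classifies each request and routes it to the virtual disk or the real file system."""
    def __init__(self, real, vdisk, policy):
        self.real, self.vdisk, self.policy = real, vdisk, policy
    def authorized(self, process, path):
        # Assumed policy format: a set of (process name, file extension) pairs.
        return (process.lower(), path.rsplit(".", 1)[-1].lower()) in self.policy
    def open(self, process, path):
        if self.authorized(process, path):
            return ("vdisk", self.vdisk.open(path))
        return ("real", path)
    def read(self, target):
        kind, ref = target
        return self.vdisk.read(ref) if kind == "vdisk" else self.real.read(ref)

if __name__ == "__main__":
    real = RealFileSystem()
    real.write(r"D:\1.doc", stand_in_cipher(b"constructed sample text"))
    redirector = Redirector(real, VirtualDiskFS(real), {("editor.exe", "doc")})
    print(redirector.read(redirector.open("editor.exe", r"D:\1.doc")))  # plaintext
    print(redirector.read(redirector.open("backup.exe", r"D:\1.doc")))  # ciphertext
```

In this model the security of the scheme rests entirely on the authorization check in the redirector: any process the policy matches receives plaintext, so how process identity is established is the point to examine when reviewing a real implementation.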
In this embodiment, a transparent encryption device is further provided, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the embodiments below is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a transparent encryption apparatus, as shown in fig. 6, including:
an obtaining module 41, configured to obtain an operation request of a target file, where the operation request carries attribute information of the target file;
a determining module 42, configured to determine a type of the operation request based on the attribute information, where the type of the operation request includes an authorized operation request or an unauthorized operation request;
a redirecting module 43, configured to redirect the operation request to a virtual disk file system or a real file system according to the type of the operation request, where the virtual disk file system is configured to interact with the real file system, the virtual disk file is configured to cache the decrypted target file, and the real file system is configured to store the encrypted target file.
In some embodiments, the redirection module 43 includes:
the first redirection unit is used for redirecting the operation request to the virtual disk file system when the type of the operation request is an authorized operation request;
and the first processing unit is used for carrying out plaintext processing on the operation request based on the virtual disk file system.
In some embodiments, the virtual disk file system includes a virtual disk and an encrypted file system, where the virtual disk is used to mount the encrypted file system, and the encrypted file system is used to read the encrypted target file from the real file system for decryption.
In some embodiments, the first processing unit comprises:
the first reading subunit is configured to read a shadow file in the virtual disk to obtain an access path of the encrypted target file in the real file system;
the second reading subunit is configured to read the encrypted target file from the real file system based on the access path;
and the plaintext operation subunit is used for decrypting the encrypted target file by using the encrypted file system and caching a decryption result by using the shadow file so as to perform plaintext operation on the target file.
In some embodiments, the first reading subunit includes:
a creating subunit, configured to create a shadow file in the virtual disk when an authorized opening request of the target file is obtained;
and the recording subunit is configured to record, in the shadow file, an access path of the encrypted target file in the real file system.
In some embodiments, the apparatus further comprises:
and the clearing module is used for clearing the shadow file in the virtual disk when an authorized closing request of the target file is obtained.
In some embodiments, the apparatus further comprises:
the first redirection unit is used for redirecting the operation request to the real file system when the operation request is an unauthorized operation request;
and the ciphertext operation unit is used for performing ciphertext operation on the target file based on the real file system.
The transparent encryption apparatus in this embodiment is presented in the form of functional units, where a unit refers to an ASIC circuit, a processor and memory executing one or more software or fixed programs, and/or other devices that may provide the above-described functionality.
Further functional descriptions of the modules are the same as those of the corresponding embodiments, and are not repeated herein.
An embodiment of the present invention further provides an electronic device, which has the transparent encryption apparatus shown in fig. 6.
Referring to FIG. 7, FIG. 7 is a schematic structural diagram of an electronic device according to an alternative embodiment of the present invention. As shown in FIG. 7, the electronic device may include: at least one processor 51, such as a CPU (Central Processing Unit), at least one communication interface 53, a memory 54, and at least one communication bus 52. The communication bus 52 enables connection and communication between these components. The communication interface 53 may include a display and a keyboard; optionally, the communication interface 53 may also include a standard wired interface and a standard wireless interface. The memory 54 may be a high-speed RAM (volatile random access memory) or a non-volatile memory, such as at least one disk memory. The memory 54 may alternatively be at least one memory device located remotely from the processor 51. The processor 51 may be connected with the apparatus described in FIG. 6, the memory 54 stores an application program, and the processor 51 calls the program code stored in the memory 54 to perform any of the above-mentioned method steps.
The communication bus 52 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus 52 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 7, but this does not mean that there is only one bus or one type of bus.
The memory 54 may include a volatile memory, such as a random-access memory (RAM); the memory may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 54 may also comprise a combination of the above types of memories.
The processor 51 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor 51 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
Optionally, the memory 54 is also used to store program instructions. The processor 51 may call program instructions to implement a transparent encryption method as shown in any of the embodiments of the present application.
An embodiment of the present invention further provides a non-transitory computer storage medium, where the computer storage medium stores computer-executable instructions, and the computer-executable instructions can perform the transparent encryption method in any method embodiment described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid-state drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kinds described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A transparent encryption method, comprising:
acquiring an operation request of a target file, wherein the operation request carries attribute information of the target file;
determining the type of the operation request based on the attribute information, wherein the type of the operation request comprises an authorized operation request or an unauthorized operation request;
redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
2. The method of claim 1, wherein redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request comprises:
when the type of the operation request is an authorized operation request, redirecting the operation request to the virtual disk file system;
and performing plaintext processing on the operation request based on the virtual disk file system.
3. The method according to claim 2, wherein the virtual disk file system comprises a virtual disk and an encrypted file system, the virtual disk is used for mounting the encrypted file system, and the encrypted file system is used for reading the encrypted target file from the real file system for decryption.
4. The method of claim 3, wherein the performing a plaintext operation on the target file based on the virtual disk file system comprises:
reading the shadow file in the virtual disk to obtain an access path of the encrypted target file in the real file system;
reading the encrypted target file from the real file system based on the access path;
and decrypting the encrypted target file by using an encrypted file system, and caching a decryption result by using the shadow file so as to perform plaintext operation on the target file.
5. The method according to claim 4, wherein the reading the shadow file in the virtual disk to obtain the encrypted access path of the target file in the real file system comprises:
when an authorized opening request of the target file is acquired, creating a shadow file in the virtual disk;
and recording an access path of the encrypted target file in the real file system in the shadow file.
6. The method of claim 4, further comprising:
and when an authorized closing request of the target file is acquired, clearing the shadow file in the virtual disk.
7. The method of claim 2, further comprising:
when the operation request is an unauthorized operation request, redirecting the operation request to the real file system;
and carrying out ciphertext operation on the target file based on the real file system.
8. A transparent encryption apparatus, comprising:
an acquisition module, configured to acquire an operation request of a target file, wherein the operation request carries attribute information of the target file;
a determining module, configured to determine a type of the operation request based on the attribute information, where the type of the operation request includes an authorized operation request or an unauthorized operation request;
and the redirection module is used for redirecting the operation request to a virtual disk file system or a real file system according to the type of the operation request, wherein the virtual disk file system is used for interacting with the real file system, the virtual disk file is used for caching the decrypted target file, and the real file system is used for storing the encrypted target file.
9. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the transparent encryption method of any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the transparent encryption method of any one of claims 1-7.
Priority Applications (2)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| CN202210906526.0A CN115455440A (en) | 2022-07-29 | 2022-07-29 | Transparent encryption method and device, electronic equipment and storage medium |
| PCT/CN2022/141882 WO2024021496A1 (en) | 2022-07-29 | 2022-12-26 | Transparent encryption method and apparatus, electronic device, and storage medium |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| CN202210906526.0A CN115455440A (en) | 2022-07-29 | 2022-07-29 | Transparent encryption method and device, electronic equipment and storage medium |

Publications (1)

| Publication Number | Publication Date |
| --- | --- |
| CN115455440A (en) | 2022-12-09 |

Family

ID=84296897

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
| --- | --- | --- | --- |
| CN202210906526.0A, Pending, CN115455440A (en) | Transparent encryption method and device, electronic equipment and storage medium | 2022-07-29 | 2022-07-29 |

Country Status (2)

| Country | Link |
| --- | --- |
| CN (1) | CN115455440A (en) |
| WO | WO2024021496A1 (en) |

Cited By (1)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| WO2024021496A1 (en) * | 2022-07-29 | 2024-02-01 | 天翼云科技有限公司 | Transparent encryption method and apparatus, electronic device, and storage medium |

Family Cites Families (5)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| CN104200176A (en) * | 2014-08-28 | 2014-12-10 | 电子科技大学 | System and method for carrying out transparent encryption and decryption on file in intelligent mobile terminal |
| CN105760779B (en) * | 2016-02-18 | 2018-06-22 | 武汉理工大学 | A kind of Two-way File encryption system based on FUSE |
| US10489600B2 (en) * | 2017-04-28 | 2019-11-26 | Dell Products L.P. | Access path redirection for encrypted files |
| CN110569651A (en) * | 2019-08-27 | 2019-12-13 | 北京明朝万达科技股份有限公司 | file transparent encryption and decryption method and system based on domestic operating system |
| CN115455440A (en) * | 2022-07-29 | 2022-12-09 | 天翼云科技有限公司 | Transparent encryption method and device, electronic equipment and storage medium |

Also Published As

| Publication number | Publication date |
| --- | --- |
| WO2024021496A1 (en) | 2024-02-01 |

Legal Events

| Date | Code | Title | Description |
| --- | --- | --- | --- |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |